Re: Strange AVC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see presence on uptime call anywhere. I afraid it was a probe to see if the system can be compromised.  I scanned file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look.

Sincerely yours,
  Vadym Chepkov


--- On Thu, 10/1/09, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Subject: Re: Strange AVC
> To: fedora-selinux-list@xxxxxxxxxx
> Date: Thursday, October 1, 2009, 10:06 AM
> On 10/01/2009 05:51 AM, Dominick
> Grift wrote:
> > On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym
> Chepkov wrote:
> >> Hi,
> >>
> >> I am puzzled, what could have caused this kind of
> AVC:
> >>
> >> type=SYSCALL msg=audit(1254270789.862:74347):
> arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532
> a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808
> auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 fsgid=48 tty=(none) comm="uptime"
> exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0
> key=(null)
> >> type=AVC msg=audit(1254270789.862:74347):
> avc:  denied  { read } for  pid=18808
> comm="uptime" name="utmp" dev=sda1 ino=2474106
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > 
> > Well uptime runs in the httpd_t domain and the httpd
> domain (uptime) tried to read /var/run/utmp file.
> /var/run/utmp has a object type that is owned by init
> scripts for object in /var/run.
> > 
> > you can and should check first to see whether the
> types are correct: should "uptime" in this scenario run in
> the httpd_t domain (is it called from a webapp (non-cgi)
> also is the target object labelled properly (matchpathcon
> /var/run/utmp)
> > 
> > Once that is established you can verify whether
> httpd_t should be able to access the target type:
> > 
> > sesearch --allow -s httpd_t -t initrc_var_run_t 
> -c file -p read
> > 
> > With this information you are going to have to make
> your security decision.
> > 
> > should you allow it or deny it?
> > 
> > I can tell you that in my configuration /var/run/utmp
> also has type initrc_var_run_t. So i guess that is what it
> should be.
> > 
> > What i cannot tell you is why and how uptime is
> executed in this scenario.
> > All i know is that it runs in the httpd_t domain.
> >>
> >>
> >> Sincerely yours,
> >>   Vadym Chepkov
> >>
> >> --
> >> fedora-selinux-list mailing list
> >> fedora-selinux-list@xxxxxxxxxx
> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>
> >>
> >> --
> >> fedora-selinux-list mailing list
> >> fedora-selinux-list@xxxxxxxxxx
> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> You would need to add policy to be able to do this. 
> Apache being able to read utmp could allow a hacker to
> figure out all the user names that have logged onto a
> system.  It is denied by default.
> 
> You can easily add custom policy using audit2allow.
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux